ITsecurity
twitter facebook rss

CosmicDuke – does it highlight the difference between US, Russian and Chinese cyberspies?

F-Secure has discovered a new piece of malware that it is calling CosmicDuke – it appears to derive from both the Cosmu and MiniDuke families of malware. Indeed, it seems to suggest that Cosmu and MiniDuke are related, but evidence within the new malware reverses the accepted timeline. That is, it is now believed that MiniDuke took code from Cosmu.

This is interesting. The MiniDuke targets from last year (NATO, European government organizations, Ukraine) would seem to suggest Russian involvement. CosmicDuke appears to have similar targets:

The filenames and content used in CosmicDuke’s attack files to lure victims contain references to the countries of Ukraine, Poland, Turkey, and Russia, either generally in use of language or included detail, or in allusions to events or institutions. The filenames and content chosen seem to be tailored to their target’s interests, though we have no further information on the identity or location of these victims yet.
CosmicDuke: Cosmu With a Twist of MiniDuke

But Cosmu has been around for a long time, and there is less speculation that Cosmu might be state-driven than that MiniDuke might be. Indeed, Cosmu is most probably traditional east European crimeware, possibly adapted into a state espionage tool via MiniDuke. This is pure speculation, but potentially highlights the difference in spy culture between Russia, the US and China. China has a far more state-centric ethos. “I do it for my country; and if I personally benefit, that’s a bonus.” Russia, and the West in general, is more likely to say, “I do it for myself; and if my country benefits, that’s a bonus.”

There are traditionally three main actors in state-sponsored espionage: China, Russia and the US. We have to consider the US since the ‘duke’ part of the MiniDuke name derives from certain similarities with Duqu, which is almost certainly associated with Stuxnet, which was definitely developed with US involvement. And we obviously have to consider China since we are told that China does most of the world’s spying.

SeanSullivanGiven these considerations, I asked Sean Sullivan, a security researcher with F-Secure, what he thought was the ‘purpose’ of the new CosmicDuke. He replied,

The footprint and methodology of the attacks matches that of crimeware (which has a great deal of connectivity to Russia) — but the goal is different. Or perhaps it isn’t. It may very well be a ‘business venture’ but instead of gathering credit card numbers for sale on a carder forum, these particular criminals sell what they gather to a different sort of buyer. Nothing suggests state-sponsorship in the sense that it is directed from the top down. This could very well be ‘suppliers’ working to meet ‘market demand’.

The subject lines and document names strongly suggest Russian-focus. Documents such as ‘rcs.Ukraine-Gas-Pipelines-Security-Report-March-2014.pdf’.

Even the more traditional bait: I reverse image searched the sex-focused decoy example — and found a set of images… hosted on a Russian website.

Nothing about the campaign suggests China. And it doesn’t fit the footprint of an American program (based on what we now know since last year). That leaves one particular actor to consider.

The big question is whether or not it’s ‘official’ or a matter of ‘contractors’ doing what they normally do but focused on a different sort of information.

What Sullivan is suggesting is that the malware indicates Russian crimeware, but the target suggests Russian state espionage; that there is nothing to suggest Chinese involvement; and that the methodology does not fit with NSA involvement. It is perhaps, then, not too far a leap to suggest that while China and the US use their own state apparatus for cyber espionage, Russia keeps it at one remove from the state by sub-contracting cybercriminals to do it for them.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Submitted in: News, News_malware | Tags: , , , , , ,